March 14, 2015 By Shane Schick 2 min read

Google Apps has become an increasingly popular set of productivity tools for business users, but the discovery of a flaw that could allow cybercriminals to conduct email spoofing using the admin console may have some early adopters concerned.

Security researchers Patrik Fehrenbach and Behrouz Sadeghipour explained in a blog post how they found an imperfection that involves using a Google Apps domain name that hasn’t already been claimed by a customer. In a series of tests, they were able to commit email spoofing — in other words, sending out messages through someone else’s Google Apps domain.

Although there is no evidence cybercriminals have exploited the flaw, it represents a particularly dangerous threat. In many attempts to spread malware via email, cybercriminals are often forced to create phony or suspicious-looking addresses that may not look enough like the real thing. In this case, the Google Apps admin tool could let anyone impersonate a legitimate organization much more effectively if, for example, they were committing phishing attacks.

Likely to underscore the severity of the threat, researchers used the flaw to commit email spoofing from domains related to Google itself. ZDNet reported that “[email protected]” and “[email protected]” were among the variations used. It’s little wonder Google wasn’t just quick to fix the problem, but to award the researchers a prize of $500.

Unfortunately, this isn’t the first security issue involving Google’s business tools. As SecurityWeek pointed out, the admin console has also been plagued by a cross-scripting vulnerability as recently as two months ago. The fact that Google fixed the email spoofing problem by simply adding “[email protected]” for unverified domains shows how simple some of these attacks are becoming.

It’s also rather ironic that, in December, Google introduced a series of enterprise security features for Google Apps. These included a Devices and Activities Dashboard, as explained by the Financial Post, that would help administrators monitor for questionable behavior. Nevertheless, one might argue that hijacking email domains could be even worse.

Over the next week, Google may offer a more comprehensive fix for email spoofing, The Hacker News said. In the meantime, it’s always best to consider that, if an email message looks a little off, it probably is.

Image Source: Flickr

More from

Hacking the mind: Why psychology matters to cybersecurity

4 min read - In cybersecurity, too often, the emphasis is placed on advanced technology meant to shield digital infrastructure from external threats. Yet, an equally crucial — and underestimated — factor lies at the heart of all digital interactions: the human mind. Behind every breach is a calculated manipulation, and behind every defense, a strategic response. The psychology of cyber crime, the resilience of security professionals and the behaviors of everyday users combine to form the human element of cybersecurity. Arguably, it's the…

Stress-testing multimodal AI applications is a new frontier for red teams

5 min read - Human communication is multimodal. We receive information in many different ways, allowing our brains to see the world from various angles and turn these different "modes" of information into a consolidated picture of reality.We’ve now reached the point where artificial intelligence (AI) can do the same, at least to a degree. Much like our brains, multimodal AI applications process different types — or modalities — of data. For example, OpenAI’s ChatGPT 4.0 can reason across text, vision and audio, granting…

Cybersecurity awareness: Apple’s cloud-based AI security system

3 min read - The rising influence of artificial intelligence (AI) has many organizations scrambling to address the new cybersecurity and data privacy concerns created by the technology, especially as AI is used in cloud systems. Apple addresses AI’s security and privacy issues head-on with its Private Cloud Compute (PCC) system.Apple seems to have solved the problem of offering cloud services without undermining user privacy or adding additional layers of insecurity. It had to do so, as Apple needed to create a cloud infrastructure…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today